
Transcript
Page 1: Intro to CIF

Collective Intelligence Framework (CIF)

Public spammer/malware/botnet data --> CIF --> Results!

CIF

Page 2: Intro to CIF

What is CIF and Why Care

Developed by Wes Young at REN-ISAC. CIF is a feed indexer, feed generator, data parser and normalizer.

Built for Response Teams, Forensic Teams

Allows you to query multiple feeds of data that are consumed easily and quickly. Also, you can add your own data set.

Page 5: Intro to CIF

Or even this?

Page 6: Intro to CIF

Guess they are all consuming some sort of Feed

They are Intelligence Services Offered by Security Companies

Page 8: Intro to CIF
Page 9: Intro to CIF

What Have I done? Public Service!

Request an API Key from http://www.josehelps.com/p/feeds.html

Index Feeds:

● spamhaus.org
● zeustracker.abuse.ch
● alienvault.com
● malwaredomains.com
● dragonresearchgroup.org - cymru
● sshbl.org
● danger.rulez.sk
● malware.com.br
● malwareblacklist.com
● threatexpert.com
● malwaredomainlist.com
● malc0de.com
● paste bin rsa dump - http://pastebin.com/raw.php?i=yKSQd5Z5
● phishtank.com
● shadowserver.org
● spyeyetracker.abuse.ch
● infiltrated.net

Page 10: Intro to CIF

Use Cases

REST API
https://feed.josehelps.com/api/188.127.229.182?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d
https://feed.josehelps.com/api/72.52.2.1?apikey=e2d33811-d415-404a-9c4a-04ea04c2b11d&fmt=json

Browser Plugin
addweb.ru, or 193.106.173.198, or 725c56b06b00b5a9f31e72e01f6ee164...

Perl Client
cif -q addweb.ru
cif -q 193.106.173.198
for i in `cat maliciousthings.txt`; do cif -r need-to-know -Sq $i >> results.txt; done

Page 11: Intro to CIF

Automated Mitigation and Alerting

Perl Client Only:

cif -q infrastructure/network -s low -p snort
cif -q infrastructure/spam -s medium -c 95
cif -q domain/malware -p bindzone -c 30 -s low
cif -q infrastructure/botnet -s low -c 50 -p snort
cif -q infrastructure/botnet -c 50 -p iptables

Reference: http://code.google.com/p/collective-intelligence-framework/wiki/WebAPI
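The REST use case on the previous slide and the severity/confidence/plugin flags above describe one pipeline: query an indicator or feed, keep only records that clear a severity and confidence floor, then render them as something a firewall or IDS can load. The script below is an added example, not code from the slides or from the CIF project: it builds a query URL in the same shape as the REST calls shown, filters a constructed JSON result set the way `-s medium -c 50` would, and emits iptables and Snort output the way `-p iptables` / `-p snort` do. The response schema (fields `address`, `severity`, `confidence`, `assessment`), the base URL and every indicator value are assumptions made up for the example; RFC 5737 documentation addresses are used so nothing in it points at a real host.

```python
import ipaddress
import json
from urllib.parse import urlencode

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def build_query_url(base, query, apikey, fmt="json"):
    """Build a REST query of the form <base>/api/<indicator-or-feed>?apikey=...&fmt=json.
    The path layout mirrors the slide's examples; the base URL is whatever your CIF instance uses."""
    return f"{base.rstrip('/')}/api/{query}?{urlencode({'apikey': apikey, 'fmt': fmt})}"


# Constructed sample response (assumed schema, documentation-range addresses only).
SAMPLE_RESPONSE = json.dumps([
    {"address": "192.0.2.10", "severity": "high", "confidence": 95, "assessment": "botnet"},
    {"address": "192.0.2.20", "severity": "low", "confidence": 40, "assessment": "spam"},
    {"address": "198.51.100.0/24", "severity": "medium", "confidence": 85, "assessment": "botnet"},
    {"address": "malware.example", "severity": "medium", "confidence": 90, "assessment": "malware"},
    {"address": "203.0.113.7", "severity": "high", "confidence": 30, "assessment": "botnet"},
])


def filter_results(raw_json, min_severity="low", min_confidence=0):
    """Keep records whose severity and confidence both meet the floor (like `-s` and `-c`)."""
    floor = SEVERITY_RANK[min_severity]
    kept = []
    for rec in json.loads(raw_json):
        sev = SEVERITY_RANK.get(str(rec.get("severity", "")).lower(), 0)
        conf = int(rec.get("confidence", 0))
        if sev >= floor and conf >= min_confidence:
            kept.append(rec)
    return kept


def is_network(value):
    """True for a single IP or a CIDR block; domains and hashes fall through to False."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def to_iptables(entries, chain="INPUT"):
    """Render address-type indicators as iptables DROP rules (domains are skipped)."""
    return [f"-A {chain} -s {e['address']} -j DROP" for e in entries if is_network(e["address"])]


def to_snort(entries, base_sid=9000000):
    """Render address-type indicators as Snort alert rules with sequential SIDs."""
    rules = []
    for n, e in enumerate(r for r in entries if is_network(r["address"])):
        msg = f"CIF {e.get('assessment', 'indicator')} {e['address']} conf={e['confidence']}"
        rules.append(f'alert ip {e["address"]} any -> $HOME_NET any (msg:"{msg}"; sid:{base_sid + n}; rev:1;)')
    return rules


if __name__ == "__main__":
    # Hypothetical base URL and key; a real run would fetch this URL and feed the body to filter_results.
    print(build_query_url("https://feed.example", "infrastructure/botnet", "YOUR-API-KEY"))
    hits = filter_results(SAMPLE_RESPONSE, min_severity="medium", min_confidence=50)
    for line in to_iptables(hits) + to_snort(hits):
        print(line)
```

The floor is applied to both fields at once, so a high-severity record with confidence 30 is dropped just as the `-c 50` invocations above would drop it; the domain record survives filtering but is left out of the iptables and Snort output because neither format takes a hostname, which is why the slide routes `domain/malware` to `-p bindzone` instead.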

Page 12: Intro to CIF

What d

Page 13: Intro to CIF

Ideas and Questions

● pastebin keyword parser that generates a feed
● php based or similar web UI for perl client
● vmware appliance
● Honeypot Integration
● Splunk App

Page 14: Intro to CIF

Thank you for your time

Contacting me:

twitter: [email protected]